Theories Used in Information Security Research: Survey and Agenda

Serkan Ada (State University of New York, USA)
DOI: 10.4018/978-1-60566-132-2.ch017

This chapter discusses the recent theories used in information security research studies. The chapter first introduces the importance of information security research and why it has recently become so important. Following this introduction, “theory” is defined and the importance of theories in information security research is discussed. After this discussion, recently used theories (socio-technical systems theory, activity theory, distributed cognition theory, general deterrence theory, grounded theory, social cognitive theory) are listed, and basic information about these theories as well as applications from the literature is given. Other recently used theories are summarized in a table in the following section. The chapter ends with concluding remarks on the theories and recommendations to researchers in the information security area.
Chapter Preview

In today’s global and competitive business environment, organizations are becoming increasingly dependent on information and on its dissemination. Consequently, the use of computer-based information systems and of globally distributed computer networks is essential to meeting these requirements. On the other hand, this dependency makes organizations’ information systems progressively more vulnerable to outside attacks and internal security breaches, which may cause financial losses and disruption of business activities (Siponen, 2005; Choobineh et al., 2007).

To better comprehend the significance of the problems mentioned above, it is useful to look at the findings of a recent study conducted by the Computer Security Institute. According to this study (CSI Survey, 2007), 46% of the 487 survey respondents reported that their organization was exposed to at least one security incident in the past 12 months. Another significant statistic is that organizations’ total financial losses due to computer security incidents were approximately $66,930,950 in 2007 (based on the responses from managers of 194 companies). More interestingly, 27% of the respondents reported that up to 20% of their cyber losses were caused by people inside the organization, while 37% of the respondents reported that insiders were responsible for more than 20% of their cyber losses (Richardson, 2007). In light of these findings, it is clear that proper management of information systems security is vital and unavoidable. It is also of great importance for the academic community to attach more importance to information security issues in organizations.

How the academic community has approached these issues is summarized in a review paper on information security research (Willison & Siponen, 2007). That study reports 1280 security-related papers published in 3 IS security journals and 20 IS journals between 1990 and 2004. Of these papers, only 18.51% use a theory as the framework for the study. Since the application of theories and appropriate research methods is essential to any research study, it is our belief that academic researchers should attach more importance to the creation, adoption, and/or application of theories from the literature (Willison & Siponen, 2007). Drake and Clarke (2008) also offer a model that suggests solutions and guidelines for filling the information security research gaps by using social theories, various aspects of which deal with both human and technical issues from the perspective of those involved in the system of concern.

In this chapter, our objective is to present some of the theories used in the context of information security in order to bring this issue to academic researchers’ notice. As Choobineh et al. (2007) note, theoretical conceptualizations are needed in order to create more effective principles and guidelines for “best practices” in information security management and to develop solutions for the related problems. For this reason, we would like to encourage researchers to utilize these theories, or to adopt other related theories from the literature, in their research studies.

The remainder of this chapter is organized as follows. The next section discusses what a theory is and why theories are used in research studies. Following this section, we discuss the related theories used in information security research (Socio-Technical Systems Theory, Activity Theory, Distributed Cognition Theory, General Deterrence Theory, Grounded Theory, and Social Cognitive Theory). After the discussion of these theories, other recent theories used in the literature are briefly mentioned. Finally, the chapter closes with a conclusion and discussion section.

Key Terms in this Chapter

Social Cognitive Theory: A model on human behavior which argues that environmental influences, personal factors, and behavior are determined reciprocally.

Socio-Technical Systems Theory: An approach that considers organizations as the combination of both social and technical systems in order to increase the productivity.

Distributed Cognition Theory: An approach which considers cognition as a distributed phenomenon.

Theory: “A set of interrelated variables, definitions, and propositions that presents a systematic view of phenomena by specifying relations among variables, with the purpose of explaining natural phenomena.”

Grounded Theory: A systematic and qualitative methodology of developing theories based on systematically collected and analyzed data.

Self-Efficacy: “People’s judgments of their capabilities to organize and execute courses of action required to attain designated types of performances.”

Computer Security Model: A multilayer model which shows the steps in computer security, including the measures and the next actions of security abusers after being successful against a security measure.

Activity Theory: An approach which proposes that human activity aims at accomplishing certain outcomes through the help of artifacts and other resources.

General Deterrence Theory: A term adopted from the discipline of criminology, which is about the disincentives and sanctions used to prevent a criminal act in security.
